The number of successful cyberattacks impacting organizations continues to increase, with recent high-profile breaches such as UK outsourcing firm and government contractor Capita incurring recovery costs of up to £20 million.
Generative AI is allowing attackers to innovate and escalate their approach. Darktrace researchers observed a 135% increase in "novel social engineering attacks" across thousands of active customers from January to February 2023 (based on the average change in email attacks detected across Darktrace customers' email deployments). With that in mind, organizations should focus more than ever on their cyber resilience — namely, their ability to withstand, adapt, and recover from cyberattacks that have achieved initial access. Yet the gap between the growing numbers of successful attacks and effective approaches to recovery continues to widen.
Within this context, security teams need help to prepare, recover, and adapt confidently to cyber incidents, and new developments in AI are offering promising signs that they can do so.
Evaluating the Current Picture
With a growing skills shortage in the industry, it has become more and more difficult for humans to keep up with incident management techniques and frameworks. Additionally, the costs associated with tabletop exercises, red/purple team activities, maintaining playbooks, and testing recovery stacks have become increasingly untenable.
Incident response playbooks outline the steps an organization should take to respond to and recover from a particular type of attack and are widely accepted as best practice. These are typically based on predefined, static views of an organization that quickly become outdated and are challenging to maintain and execute in a real-world incident.
Published frameworks are another standard part of the cyber resilience toolkit. These templates and flowcharts tend to lay out discrete linear processes — often lengthy steps designed to occur one after the other, with no concept of the frequent need to shift and adapt as new information arises. Dealing with the complexity gap between the necessarily concise framework and the variety and complexity of real incidents is left to human responders.
Similarly, tabletop exercises, in which stakeholders come together to test incident response plans, can be a useful way of developing experience in decision making. But they are time-intensive and will not test many of the technical tools and processes used in a real-world response.
Moving From a Reactive to an Adaptive Approach
Introducing self-learning artificial intelligence (AI) into incident management can allow teams to engage an incident in more detail and at an earlier stage than they currently can, minimizing disruption to the business.
One of the more challenging security tasks is dedicating time to continuously evaluate readiness to handle an incident, which could occur at any time. AI can add value here by combining a deep understanding of every internal asset and continuous evaluation of coverage and functionality of the recovery stack to assess: How prepared are you for defeating a cyberattack?
During an incident, especially if on a larger scale, AI-powered systems offer full visibility into the scope and details of the compromise, creating a more informed basis on which to manage it. By holding this complex understanding within the software, it can go further by automating much of recovery management. It can automatically adapt planned recovery steps to precise incident details. It can also prioritize assets for remediation based on its deep understanding of that asset's function and role within the incident and the business.
But AI assistance doesn't have to mean relinquishing human control. Rather, AI should augment human teams by presenting simple choices and recommendations based on real-time developments and simplify and automate technical steps where possible. Working together, AI can shorten the time-consuming recovery processes while providing human teams with relevant and timely context to support faster decision making when it counts.
Time savings from AI can extend to record keeping during and after the incident. By collecting forensic evidence automatically and keeping a record of all defensive actions taken, AI can create incident reports at any time. These reports enable teams to communicate clearly to stakeholders what has happened, what they've done about it, and what further actions they are planning to take.
Critically, incident management needs to interact with detection, immediate response, and preventative measures across the rest of the cybersecurity ecosystem. In a landscape where vendor consolidation is top of mind for CISOs and CFOs, incident recovery products that can integrate with these other capabilities provide a compelling case for a single dashboard approach to cyber resilience.
The reality is that cyber incidents are a question of when and not if, so organizations that look to move beyond static incident playbooks and standard frameworks will remain ahead of the game. Leveraging AI and automation to deliver bespoke recovery plans that adapt in real time will allow these companies to achieve new levels of cyber resilience in a fast-moving threat landscape.
About the Author
Matt Bovbjerg joined Darktrace in 2015, specializing in strategic customer deployment architecture and operationalizing Darktrace within large security stacks, before becoming the Vice President of Integrations Architecture. Matt works closely with Darktrace R&D, Technology Alliance Partners, and customers to develop use case-driven third-party integrations, ensuring organizations get the most out of their security investments. Matt holds a Bachelor’s degree in Industrial and Operations Engineering from the University of Michigan.